Re: ACLs on OUs and their children/leaves
Pierangelo Masarati wrote:
|> access to dn.sub="ou=users,dc=domain,dc=tld"
|>   by dnattr="ou" write
| This is wrong because, as the name says, you need to set "dnattr" to an
| attribute that is DN-valued (or nameAndOptionalUID-valued, like
| uniqueMember). The solution to your problem is:
| access to dn.regex="(.+,)?(ou=[^,]+,ou=users,dc=domain,dc=tld)$"
| by dn.exact,expand="$2" write
| i.e. grab the terminal portion of the DN and use it to compare with the
| identity of the operation.
Thank you very much - this solved my problem.
I'm a bit puzzled, though ... I didn't find any reference to the
backreferencing capabilities of slapd's regex (expand=$2) in the manuals
that I read. Does anybody know where to find the appropriate
documentation (besides in the code)?
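Added example, not part of the original message and not OpenLDAP code: a simplified Python model of how the rule quoted above is evaluated, showing which part of the target DN ends up in `$2` and which bind identity then gets write access. The function names and sample DNs are constructed; Python's `re` stands in for slapd's POSIX regex, and DN normalization is approximated by lowercasing.

```python
import re

# The <what> and <who> clauses of the rule quoted in the message above.
TARGET_REGEX = r"(.+,)?(ou=[^,]+,ou=users,dc=domain,dc=tld)$"
WHO_TEMPLATE = "$2"

# Constructed sample identities (the OU entries themselves bind here).
SALES = "ou=sales,ou=users,dc=domain,dc=tld"
HR = "ou=hr,ou=users,dc=domain,dc=tld"


def expand(template, match):
    """Substitute $0..$9 with the submatches captured from the target DN."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))) or "", template)


def access_level(target_dn, bind_dn):
    """Model this single rule: "write", "none", or None if it does not apply.

    Assumption: lowercasing approximates slapd's DN normalization.
    """
    # The pattern has no leading ^, so it is searched for, not anchored.
    match = re.search(TARGET_REGEX, target_dn.lower())
    if match is None:
        return None  # entry is outside this rule; later rules would decide
    required_identity = expand(WHO_TEMPLATE, match)
    if bind_dn.lower() == required_identity:
        return "write"
    return "none"  # the implicit "by * none" that ends every access clause


if __name__ == "__main__":
    cases = [
        ("uid=bob," + SALES, SALES),          # own subtree
        ("uid=bob," + SALES, HR),             # someone else's subtree
        (SALES, SALES),                       # the OU entry itself
        ("cn=x,ou=team," + SALES, SALES),     # nested OU: $2 is still ou=sales
        ("ou=users,dc=domain,dc=tld", SALES), # parent container: no match
    ]
    for target, who in cases:
        print(f"{who} -> {target}: {access_level(target, who)}")
```

For nested containers `$2` is always the OU directly below `ou=users`, because `[^,]+` can only span one RDN before the fixed suffix.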